Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5634
HistoryJan 14, 2004 - 12:00 a.m.

CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

2004-01-1400:00:00
vulners.com
10

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

Original release date: January 13, 2004
Last revised: –
Source: CERT/CC, NISCC

A complete revision history can be found at the end of this file.

Systems Affected

 * Many  software  and  hardware  systems  that  implement  the H.323
   protocol

   Examples include
      + Voice over Internet Protocol (VoIP) devices and software
      + Video conferencing equipment and software
      + Session Initiation Protocol (SIP) devices and software
      + Media Gateway Control Protocol (MGCP) devices and software
      + Other  networking  equipment  that  may process H.323 traffic
        (e.g., routers and firewalls)

Overview

A number of vulnerabilities have been discovered in various
implementations of the multimedia telephony protocol H.323. Voice over
Internet Protocol (VoIP) and video conferencing equipment and software
can use these protocols to communicate over a variety of computer
networks.

I. Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
has reported multiple vulnerabilities in different vendor
implementations of the multimedia telephony protocol H.323. H.323 is
an international standard protocol, published by the International
Telecommunications Union, used to facilitate communication among
telephony and multimedia systems. Examples of such systems include
VoIP, video-conferencing equipment, and network devices that manage
H.323 traffic. A test suite developed by NISCC and the University of
Oulu Security Programming Group (OUSPG) has exposed multiple
vulnerabilities in a variety of implementations of the H.323 protocol
(specifically its connection setup sub-protocol H.225.0).

Information about individual vendor H.323 implementations is available
in the Vendor Information section below, and in the Vendor Information
section of NISCC Vulnerability Advisory 006489/H323.

The U.K. National Infrastructure Security Co-ordination Centre is
tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is
tracking this issue as VU#749342. This reference number corresponds to
CVE candidate CAN-2003-0819, as referenced in Microsoft Security
Bulletin MS04-001.

II. Impact

Exploitation of these vulnerabilities may result in the execution of
arbitrary code or cause a denial of service, which in some cases may
require a system reboot.

III. Solution

Apply a patch or upgrade

Appendix A and the Systems Affected section of Vulnerability Note
VU#749342 contain information provided by vendors for this advisory
(<http://www.kb.cert.org/vuls/id/749342#systems&gt;&#41;.

However, as vendors report new information to the CERT/CC, we will
only update VU#749342. If a particular vendor is not listed, we have
not received their comments. Please contact your vendor directly.

Filter network traffic

Sites are encouraged to apply network packet filters to block access
to the H.323 services at network borders. This can minimize the
potential of denial-of-service attacks originating from outside the
perimeter. The specific services that should be filtered include

 * 1720/TCP
 * 1720/UDP

If access cannot be filtered at the network perimeter, the CERT/CC
recommends limiting access to only those external hosts that require
H.323 for normal operation. As a general rule, filtering all types of
network traffic that are not required for normal operation is
recommended.

It is important to note that some firewalls process H.323 packets and
may themselves be vulnerable to attack. As noted in some vendor
recommendations like Cisco Security Advisory 20040113-h323 and
Microsoft Security Bulletin MS04-001, certain sites may actually want
to disable application layer inspection of H.323 network packets.

Protecting your infrastructure against these vulnerabilities may
require careful coordination among application, computer, network, and
telephony administrators. You may have to make tradeoffs between
security and functionality until vulnerable products can be updated.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. Please see the Systems Affected section of Vulnerability
Note VU#749342 and the Vendor Information section of NISCC
Vulnerability Advisory 006489/H323 for the latest information
regarding the response of the vendor community to this issue.

3Com

 No  statement is currently available from the vendor regarding this
 vulnerability.

Alcatel

 No  statement is currently available from the vendor regarding this
 vulnerability.

Apple Computer Inc.

 Apple:  Not Vulnerable. Mac OS X and Mac OS X Server do not contain
 the issue described in this note.

AT&T

 No  statement is currently available from the vendor regarding this
 vulnerability.

Avaya

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Borderware

 No  statement is currently available from the vendor regarding this
 vulnerability.

Check Point

 No  statement is currently available from the vendor regarding this
 vulnerability.

BSDI

 No  statement is currently available from the vendor regarding this
 vulnerability.

Cisco Systems Inc.

 Please see
 http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

Clavister

 No  statement is currently available from the vendor regarding this
 vulnerability.

Computer Associates

 No  statement is currently available from the vendor regarding this
 vulnerability.

Cyberguard

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Debian

 No  statement is currently available from the vendor regarding this
 vulnerability.

D-Link Systems

 No  statement is currently available from the vendor regarding this
 vulnerability.

Conectiva

 No  statement is currently available from the vendor regarding this
 vulnerability.

EMC Corporation

 No  statement is currently available from the vendor regarding this
 vulnerability.

Engarde

 No  statement is currently available from the vendor regarding this
 vulnerability.

eSoft

 We  don&#39;t  have an H.323 implementation and thus aren&#39;t affected by
 this.

Extreme Networks

 No  statement is currently available from the vendor regarding this
 vulnerability.

F5 Networks

 No  statement is currently available from the vendor regarding this
 vulnerability.

Foundry Networks Inc.

 No  statement is currently available from the vendor regarding this
 vulnerability.

FreeBSD

 No  statement is currently available from the vendor regarding this
 vulnerability.

Fujitsu

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Global Technology Associates

 No  statement is currently available from the vendor regarding this
 vulnerability.

Hitachi

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Hewlett-Packard Company

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Ingrian Networks

 No  statement is currently available from the vendor regarding this
 vulnerability.

Intel

 No  statement is currently available from the vendor regarding this
 vulnerability.

Intoto

 No  statement is currently available from the vendor regarding this
 vulnerability.

Juniper Networks

 No  statement is currently available from the vendor regarding this
 vulnerability.

Lachman

 No  statement is currently available from the vendor regarding this
 vulnerability.

Linksys

 No  statement is currently available from the vendor regarding this
 vulnerability.

Lotus Software

 No  statement is currently available from the vendor regarding this
 vulnerability.

Lucent Technologies

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Microsoft Corporation

 Please see
 http://www.microsoft.com/technet/security/bulletin/MS04-001.asp

MontaVista Software

 No  statement is currently available from the vendor regarding this
 vulnerability.

MandrakeSoft

 No  statement is currently available from the vendor regarding this
 vulnerability.

Multi-Tech Systems Inc.

 No  statement is currently available from the vendor regarding this
 vulnerability.

NEC Corporation

 No  statement is currently available from the vendor regarding this
 vulnerability.

NetBSD

 NetBSD  does  not  ship  any  H.323  implementations as part of the
 Operating System.

 There  are a number of third-party implementations available in the
 pkgsrc  system.  As  these  products are found to be vulnerable, or
 updated,   the   packages   will   be   updated   accordingly.  The
 audit-packages  mechanism can be used to check for known-vulnerable
 package versions.

Netfilter

 No  statement is currently available from the vendor regarding this
 vulnerability.

NetScreen

 No  statement is currently available from the vendor regarding this
 vulnerability.

Network Appliance

 No  statement is currently available from the vendor regarding this
 vulnerability.

Nokia

 No  statement is currently available from the vendor regarding this
 vulnerability.

Nortel Networks

 The  following  Nortel  Networks  Generally  Available products and
 solutions   are   potentially   affected   by  the  vulnerabilities
 identified  in  NISCC  Vulnerability  Advisory 006489/H323 and CERT
 VU#749342:

 Business Communications Manager &#40;BCM&#41; &#40;all versions&#41; is potentially
 affected;  more  information is available in Product Advisory Alert
 No. PAA 2003-0392-Global.

 Succession  1000  IP  Trunk  and  IP  Peer  Networking,  and 802.11
 Wireless  IP  Gateway are potentially affected; more information is
 available in Product Advisory Alert No. PAA-2003-0465-Global.

 For more information please contact

 North America: 1-800-4NORTEL or 1-800-466-7835
 Europe, Middle East and Africa: 00800 8008 9009,
 or +44 &#40;0&#41; 870 907 9009

 Contacts for other regions are available at

 http://www.nortelnetworks.com/help/contact/global/

 Or visit the eService portal at http://www.nortelnetworks.com/cs
 under Advanced Search.

 If  you  are a channel partner, more information can be found under

 http://www.nortelnetworks.com/pic

 under Advanced Search.

Novell

 No  statement is currently available from the vendor regarding this
 vulnerability.

Objective Systems Inc.

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

OpenBSD

 No  statement is currently available from the vendor regarding this
 vulnerability.

Openwall GNU/*/Linux

 No  statement is currently available from the vendor regarding this
 vulnerability.

RadVision

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Red Hat Inc.

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Oracle Corporation

 No  statement is currently available from the vendor regarding this
 vulnerability.

Riverstone Networks

 No  statement is currently available from the vendor regarding this
 vulnerability.

Secure Computing Corporation

 No  statement is currently available from the vendor regarding this
 vulnerability.

SecureWorks

 No  statement is currently available from the vendor regarding this
 vulnerability.

Sequent

 No  statement is currently available from the vendor regarding this
 vulnerability.

Sony Corporation

 No  statement is currently available from the vendor regarding this
 vulnerability.

Stonesoft

 No  statement is currently available from the vendor regarding this
 vulnerability.

Sun Microsystems Inc.

 Sun  SNMP  does  not  provide  support  for  H.323,  so  we are not
 vulnerable.  And so far we have not found any bundled products that
 are   affected   by   this  vulnerability.  We  are  also  actively
 investigating  our  unbundled products to see if they are affected.
 Updates   will  be  provided  to  this  statement  as  they  become
 available.

SuSE Inc.

 No  statement is currently available from the vendor regarding this
 vulnerability.

Symantec Corporation

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Unisys

 No  statement is currently available from the vendor regarding this
 vulnerability.

TandBerg

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Tumbleweed Communications Corp.

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

TurboLinux

 No  statement is currently available from the vendor regarding this
 vulnerability.

uniGone

 Please   see   the  NISCC  Vulnerability  Advisory  006489/H323  at
 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

WatchGuard

 No  statement is currently available from the vendor regarding this
 vulnerability.

Wirex

 No  statement is currently available from the vendor regarding this
 vulnerability.

Wind River Systems Inc.

 No  statement is currently available from the vendor regarding this
 vulnerability.

Xerox

 No  statement is currently available from the vendor regarding this
 vulnerability.

ZyXEL

 No  statement is currently available from the vendor regarding this
 vulnerability.
 _________________________________________________________________

The CERT Coordination Center thanks the NISCC Vulnerability Management
Team and the University of Oulu Security Programming Group (OUSPG) for
coordinating the discovery and release of the technical details of
this issue.
_________________________________________________________________

Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J.
McDowell, Shawn V. Hernan and Jason A. Rafail


This document is available from:
http://www.cert.org/advisories/CA-2004-01.html


CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message

subscribe cert-advisory

  • "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2004 Carnegie Mellon University.

Revision History
January 13, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQASK7JZ2NNT/dVAVAQG65wP8C7DyEvZGz0HqXtRqk+PAjjpMqex1hdjT
BfkT6oHMhTWIdvUE1mpAwnV7OPL+N+UugCC0bAEXQzBy/YkBBOptt7IZdIeOlInh
AP0RO5zqt0GqMIrdW7P14iWBX2lLCQaMUgWNyvK4ZTNE9UzpOgBk2JonfBLjbH77
KeVgAqcfP2M=
=p0GQ
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:5634